Hundreds of millions of cars can be easily unlocked by attackers

Security researchers have come up with a way to unlock cars manufactured by vendors around the world, and are set to present their findings on Friday at the Usenix security conference in Austin, Texas.

They have devised two attacks:

• One that target cars of the Volkswagen Group (VW, Seat, Škoda, and Audi), and includes recovering the cryptographic algorithms and keys from electronic control units that allows them to clone the signal that will open the car, and
• Another that takes advantage of the cryptographically weak cipher in the Hitag2 rolling code scheme used by Alfa Romeo, Chevrolet, Peugeot, Lancia, Opel, Renault, Ford and other car makers. The result of the attack is the same: an unlocked car.

“Our findings affect millions of vehicles worldwide and could explain unsolved insurance cases of theft from allegedly locked vehicles,” the researchers noted.

The attacks are perhaps not extremely easy to execute, as they require specific technical knowledge and effort, but the hardware tools required to pull them off is cheap and accessible to practically everyone.

For example, this Arduino-based RF transceiver costs less than $40, and can eavesdrop and record rolling codes, emulate a key, and perform reactive jamming:

Both attacks can be performed in mere minutes. The researchers did not probe the security of the remote control systems installed on all of the vehicles manufactured by the aforementioned automakers, but those that they managed to compromise are present (in VW’s case) on hundreds of millions of cars, most of which are probably still being driven around.

While these attacks do not allow the attacker to start the car and drive away with it, they can be paired with attacks that allow that, the researchers noted.

Also, stealing valuable objects from inside the car can be pulled off quickly and without leaving a trace on how the car was accessed – victims might even think they forgot to lock the car.

It’s good to note that similar attacks have been demonstrated earlier this year by a group of researchers from ADAC, the largest automobile club in Europe, and before that by researchers from ETH Zurich.

Unfortunately, there is not much car owners can do about this problem, apart from refraining from leaving valuable things in their cars, and from using the remote control system altogether (i.e. choose to unlock their car by using the physical key).

It’s the automakers who should do something about it, but it’s unlikely they will.

“Completely solving the described security problems would require a firmware update or exchange of both the respective ECU and (worse) the vehicle key con- taining the remote control. Due to the strict testing and certification requirements in the automotive industry and the high cost of replacing or upgrading all affected car keys in the field, it is unlikely that VW Group can roll out such an update in the short term,” the researchers noted.

The team says that it’s unknown whether the attacks they devices are currently carried out in the wild by criminals, but that it’s likely they are. “There have been various media reports about unexplained theft from locked vehicles in the last years. The security issues described in this paper could explain such incidents,” they concluded.

For a list of affected cars check out the researchers’ paper.